
AI Use Policy Template for Small Business (Copy-and-Edit Outline)

A free AI use policy template outline for small businesses, covering approved tools, data rules, disclosure, and human review, in plain language.

By Ben Behmer · Updated June 17, 2026 · 4 min read · For Small business owners

An AI use policy for a small business is a short document that tells your team which AI tools they may use, what data they must never paste in, when a human has to review output, and what to tell customers. You can fit a workable version on two pages. The outline below is a starting point you can copy and edit.

Why a one-page policy beats no policy

Most small teams already use AI informally. A short policy turns scattered habits into shared rules, which lowers the risk of a data leak or a public error. It does not need to be a legal document to be useful.

The policy template outline

Each section below should be a short paragraph or bullet list. Keep the language plain so people actually read it.

  1. Purpose: one sentence on why the policy exists and who it applies to.
  2. Approved tools: the specific tools allowed, and a note that others need sign-off.
  3. Data rules: never paste customer personal data, passwords, financials, or anything confidential into a public tool.
  4. Human review: which outputs must be checked by a person before they are sent or published.
  5. Disclosure: when and how you tell customers AI was involved.
  6. Accuracy: the requirement to fact-check claims, numbers, and names.
  7. Ownership and accounts: use of company accounts, not personal logins, and who owns the output.
  8. Reporting problems: how to flag a mistake or a concern, and who owns the policy.

The data rules deserve their own paragraph

The fastest way to get into trouble is pasting sensitive information into a tool that may use it for training. Spell out exactly what is off-limits and offer an approved alternative for sensitive work. The Pew Research work on AI and privacy shows the public is broadly cautious about how personal data is used, which is worth keeping in mind for customer trust.

Human review is the safety net

Name the moments where a human must review: anything sent to a customer, anything published, any number or legal claim, and any decision about a person. This single rule prevents most AI-related mistakes. Our AI governance checklist expands on this.

Roll it out without a meeting marathon

  1. Draft from the outline: Fill each section with your specifics in plain language.
  2. Review with a few people: Get reactions from the staff who use AI most.
  3. Share and acknowledge: Send it, ask people to confirm they read it, and answer questions.
  4. Revisit quarterly: Tools change fast; review the policy on a set schedule.

Make the policy easy to actually follow

A policy only works if people can recall it at the moment they are about to paste something into a tool. That argues for plain wording, short sections, and one or two rules that everyone can repeat from memory. If the document reads like a contract, it will sit unread and your real policy becomes whatever habits people fall into. Aim for a version someone could summarize back to you after a single read.

It also helps to pair every "do not" with an approved alternative, so the policy guides work rather than blocking it. If staff cannot paste customer data into a public tool, tell them what they can do instead: anonymize it, use a vetted business-tier tool, or hand the task to a named person. Broad public research, such as the Pew Research work on AI, shows people care a great deal about how their data is handled, so a policy that protects customer information is also protecting your reputation. Tie these rules to the broader practices in our governance checklist.

Give the policy an owner and a review date

A policy without an owner quietly drifts out of date as tools change and new ones appear. Name one person responsible for keeping the approved-tools list current, fielding questions, and running the quarterly review. That does not have to be a senior role; often the internal AI champion is the natural fit, since they already track what the team is using. The point is that someone, specifically, is accountable for the document staying useful.

Set a recurring calendar reminder to revisit the policy every quarter. At each review, check whether new tools have crept into use without sign-off, whether the data rules still match how the team works, and whether any incident revealed a gap. A short, living policy that gets a 20-minute refresh four times a year will protect you far better than a thorough one written once and forgotten. Treat it as a working document, not a one-time compliance exercise.

How long should an AI policy be?

For most small businesses, one to two pages is enough. Short policies get read; long ones get ignored.

Do I need a lawyer to write one?

Not for a basic internal policy. If you are in a regulated field or handle sensitive data, have counsel review the data and disclosure sections.

What is the most important rule to include?

The data rule. Clearly state what staff must never paste into public AI tools, and offer an approved alternative.

How often should we update it?

Review it at least quarterly. AI tools and their data practices change quickly.